PIX to replace router

Discussion in 'Cisco' started by J1C, Oct 21, 2005.

  1. J1C

    J1C Guest

    I have an aged Linksys router that connects to a DSL modem that I would
    like to replace with a PIX. I have 5 static IP addresses assigned from
    the ISP. What would the basic config look like? I can't seem to find
    anything Cisco. Maybe I'm looking in the wrong spot?
     
    J1C, Oct 21, 2005
    #1

  2. :I have an aged Linksys router that connects to a DSL modem that I would
    :like to replace with a PIX. I have 5 static IP addresses assigned from
    :the ISP. What would the basic config look like? I can't seem to find
    :anything Cisco. Maybe I'm looking in the wrong spot?

    ip address - one of these per interface

    static (inside,outside) - one of these per IP or port you want to act
    as a public server

    access-list -- several lines if you want any device to act as a public
    server

    access-group -- at most one of these per interface

    nat (inside) -- at least one of these unless all inside systems will be
    named in a static command

    global -- at least one of these unless all inside systems will be named in
    nat commands

    Then you get your various overhead commands like controlling remote ssh
    access to the PIX, or controlling how authentication is done, or controlling
    timeouts.

    There are a number of other configuration aspects that do not come into
    play until you get into Virtual Private Networks.
     
    Walter Roberson, Oct 21, 2005
    #2
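The six building blocks Walter lists, put together into one baseline. This is an added example, not a config from the thread or from Cisco; it uses PIX 6.3-style syntax (current when the thread was written). Everything concrete in it is assumed: the ISP block is taken to be the documentation range 203.0.113.0/29 (a /29 is the usual way "5 usable addresses" arrives: .1 for the ISP gateway on the modem side, .2 for the PIX, .3 to .6 left over for statics), the LAN is 192.168.1.0/24, the hostname, domain name and inside server addresses are placeholders.

```cisco
: Added example (not from the thread). PIX 6.3-style baseline for a /29
: from the ISP. 203.0.113.0/29 is an assumed documentation range, the
: modem/ISP gateway is assumed to be 203.0.113.1, the PIX takes .2 and
: .3-.6 remain for statics. 192.168.1.0/24 is the assumed LAN.
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfw
domain-name example.com

: ip address - one per interface
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: nat + global - every inside host not named in a static leaves
: PAT'd behind the outside interface address (.2)
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

: static - one per public IP that fronts an inside server
: (assumed: mail on 192.168.1.10, web on 192.168.1.20)
static (inside,outside) 203.0.113.3 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.4 192.168.1.20 netmask 255.255.255.255 0 0

: access-list + access-group - a static by itself admits nothing; only the
: ports listed here are reachable from outside, the rest hits the implicit deny
access-list outside_in remark inbound to published servers only
access-list outside_in permit tcp any host 203.0.113.3 eq smtp
access-list outside_in permit tcp any host 203.0.113.4 eq www
access-list outside_in permit tcp any host 203.0.113.4 eq https
access-group outside_in in interface outside

: overhead - management over ssh from the LAN only, nothing from outside
: (generate the key first: ca generate rsa key 1024, then ca save all)
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
```

Two things worth checking after pasting this in: `show xlate` should show the statics as permanent translations and the PAT entries appearing only as inside hosts make connections, and `show access-list outside_in` should show hit counts on exactly the three permit lines and nothing else. Narrow the `ssh` line to the one admin workstation rather than the whole LAN once you know which machine that is, and set `enable password` and `passwd` before the box sees the Internet; the example leaves them out because they are site-specific secrets.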

  3. J1C

    J1C Guest

    Thanks Walter. How could I set the pix up to block all outbound traffic
    but http, https, smtp, pop3 ??
     
    J1C, Oct 24, 2005
    #3
  4. :How could I set the pix up to block all outbound traffic
    :but http, https, smtp, pop3 ??

    object-group service generic_traffic_tcp tcp
    description the TCP traffic allowed out to everywhere
    port-object eq www
    port-object eq 443
    port-object eq smtp
    port-object eq 110

    access-list in2out remark traffic permitted from inside to outside
    access-list in2out permit tcp any any object-group generic_traffic_tcp

    access-group in2out in interface inside


    The above is what you -asked- for, but chances are excellent
    that you really won't like the result. I would suggest that you
    consider allowing domain name resolution service (DNS) as well.
     
    Walter Roberson, Oct 24, 2005
    #4
  5. J1C

    J1C Guest

    Ah, yes .. that would be helpful too. port-object eq DNS ?
     
    J1C, Oct 24, 2005
    #5
  6. :Ah, yes .. that would be helpful too. port-object eq DNS ?

    Please quote context. Articles expire, articles don't arrive or
    arrive out of order, people don't all use software that allows them
    to go back and see the context easily...

    : port-object eq DNS

    Not quite. It would be port-object eq domain
    However DNS service really runs over UDP instead of TCP for most purposes
    (except DNS Zone Transfers), so you would either code it directly

    access-list inside2outside permit udp any any eq domain

    or else you would create a 'service' object group of type 'udp'
    and port-object within that, and follow the tcp acl entry from
    before but with udp and the appropriate object name.
     
    Walter Roberson, Oct 24, 2005
    #6
